(54) Secure virtual LANs



(57) The present invention describes a method for securely adding a new end station to a local area network (LAN) segmented into a number of virtual local area networks (VLANs). The invention applies to various types of LANs such as Ethernet and token ring. The LAN comprises an authentication server (AS) which interacts with each new end station before connection to a VLAN is allowed. The method involves the AS administering a test to the new end station, which may involve prompting the new end station for a password or asking it to encrypt a given number using a secret algorithm known only to the new end station and to the AS. The AS examines the results of this test and determines whether the new end station is permitted to join the VLAN. For added security, the new end station can verify authenticity of the AS by administering a test of its own, which may consist of prompting the AS for a password of its own or asking it to encrypt a new number, the new end station subsequently determining whether the AS is indeed genuine before beginning to transmit any further information. In this way, an end station cannot join a VLAN without authentication by the AS, and a legitimate end station can verify whether the test it is asked to pass comes from a legitimate source, thereby avoiding network security breaches.



fig. 2 
Description

Field of the Invention

[0001] This invention relates to local area networks, and specifically to a method for improving the security of information circulating within a virtual local area network.

Background of the Invention 

[0002] Conventional local area networks (LANs) can be thought of as comprising a number of end stations (or terminals), connected to each other by a combination of links and switches. In addition, distant switches can be connected by virtual connections (VCs) passing through asynchronous transfer mode (ATM) switches. Such an extension of a LAN is often referred to as a LAN emulation over ATM (LANE) environment. As the number of end stations in the LAN or LANE environment grows, congestion of traffic and security issues become grave concerns of administrators of such networks.

[0003] Segmentation of the LAN or LANE environment into a number of virtual LANs (VLANs) has been

tion and to provide security of information travelling within the network. The security provided by traditional VLANs is based on two basic principles used for transmitting data packets within the network. For one, broadcast and multicast traffic is transmitted only to end stations that are members of the VLAN. In this case, a known broadcast or multicast address can be shared among individual recipients. Secondly, unicast traffic is transmitted only between the source and destination end stations, although the location of an intended recipient can often only be determined by first broadcasting a "discovery" packet to other end stations within the VLAN. Clearly, network security in the prior art is based on the premise that data is transmitted only to those end stations that are authorized to see the data, thereby avoiding security breach

malicious snooping by end stations outside the VLAN. A serious flaw in this approach is that end stations can join a VLAN with little or no authentication by the network.
[0004] Membership in a VLAN can be defined by user name, access port identifier, end station media access control (MAC) address or Internet Protocol (IP) sub-network address. When membership in a VLAN is defined by access port identifier, a network administrator assigns the physical ports (e.g. on an Ethernet switch or hub) that constitute elements of a VLAN. However, this does not prevent an intruder from disconnecting a legitimate end station and connecting an illegitimate one to the same physical port. Once connected, the illegitimate end station has access to possibly confidential information circulating within the VLAN.

[0005] VLAN membership can also be defined by referring to a unique 48-bit MAC address that is assigned to each end station during manufacture. In this case, the network administrator defines the MAC addresses of the end stations that constitute elements of the VLAN. When an end station is connected and begins transmitting data packets, the source MAC address contained in each data packet is used to determine the VLAN where the end station belongs. Unfortunately, this does not prevent an intruder from connecting an illegitimate end station to the network and inserting the MAC address of a legitimate end station into its data packets. Having successfully "emulated" a legitimate end station, the illegitimate end station gains access to restricted information being communicated in the VLAN.

[0006] Finally, the network administrator may also define the 32-bit IP address blocks or user names of the end stations that are permitted to be members of the VLAN. The IP address and user name act similarly to the MAC address, and again, by inserting the identity of a legitimate end station into its data packets, an illegitimate end station can gain access to restricted data.

[0007] It would thus be of prime importance to provide a method of ensuring that unauthorized end stations cannot connect to a VLAN. Furthermore, in the case where an authentication mechanism would be provided to alleviate this difficulty, it would be beneficial to ensure that unauthorized switches cannot emulate such an authentication mechanism.

Summary of the Invention 

[0008] It is an object of the present invention to mitigate or obviate one or more disadvantages of the prior art.

[0009] Therefore, the invention may be summarized in accordance with a first broad aspect as a local area network, comprising a plurality of end stations and an authentication server, the LAN being segmented into a plurality of virtual local area networks (VLANs), each VLAN comprising at least one member end station, wherein the authentication server keeps track of which end stations are members of which VLAN, keeps track of which end stations are authorized to join which VLAN and performs authentication of end stations joining a VLAN.
[0010] The invention may be summarized in accordance with a second broad aspect as a local area network, comprising: a plurality of end stations; a plurality of LAN emulation servers (LESs); a LAN emulation configuration server (LECS); and an authentication server (AS); the LAN being segmented into a plurality of virtual local area networks (VLANs), each VLAN comprising a respective LES and at least one member end station, each LES keeping track of which end stations are members in the respective VLAN, the LECS keeping track of which end stations are members of which VLAN; wherein the authentication server keeps track of which end stations are authorized to join which VLAN and performs authentication of end stations joining a VLAN.
[0011] The invention may be summarized in accordance with a third broad aspect as a method for securely adding a new end station to a local area network (LAN), the LAN comprising a plurality of end stations and an authentication server (AS), the LAN being segmented into a plurality of virtual local area networks (VLANs), each VLAN comprising at least one member end station, wherein the authentication server keeps track of which end stations are members of which VLAN, keeps track of which end stations are permitted to join which VLAN and performs authentication of end stations joining a VLAN, the method comprising the steps of: the new end station sending to the AS a message identifying both the new end station and a desired VLAN; the new end station taking a first authentication

ful authentication of the new end station, the AS sending to the new end station a message indicating that the new end station is permitted to join the desired VLAN.
[0012] The invention may be summarized in accordance with a fourth broad aspect as a method for securely adding a new end station to a local area network (LAN), the LAN comprising a plurality of end stations, a plurality of LAN emulation servers (LESs), a LAN emulation configuration server (LECS) and an authentication server (AS), each switch communicating with at least one end station, the new end station being connected to a switch; the LAN being segmented into a plurality of virtual local area networks (VLANs), each VLAN comprising a respective LES and at least one member end station, each LES keeping track of which end stations are currently members in the respective VLAN, the LECS keeping track of which end stations are permitted to be members of which VLAN, wherein the authentication server performs authentication of end stations joining a VLAN; the method comprising the steps of: the new end station sending to its switch a message identifying both the new end station and a desired VLAN; the switch sending to the LECS a message requesting identity of the LES corresponding to the desired VLAN; the LECS sending to the AS a message requesting authentication of the new end station; the AS generating a first encrypted number using a plain number and an algorithm known to the AS and to the new end station; the AS sending to the LECS a message comprising the plain number and the first encrypted number; the LECS sending to the switch a message comprising the plain number; the switch sending to the new end station a message comprising the plain number; the new end station generating a second encrypted number using the plain number and the algorithm; the new end station sending to the switch a message comprising the plain number and the second encrypted number; the switch sending to the LECS a message comprising the plain number and the second encrypted number; the LECS comparing the first encrypted number to the second encrypted number; the LECS sending to the LES corresponding to the desired VLAN a message indicating that the new end station intends to join the desired VLAN; the LECS sending to the switch a message comprising identity of the LES corresponding to the desired VLAN; the switch sending to the LES corresponding to the desired VLAN a message requesting that the new end station join the desired VLAN; and the LES corresponding to the desired VLAN sending to the switch a message indicating that the new end station is allowed to join the desired VLAN.

Brief Description of the Drawings 

[0013] The preferred embodiment of the present invention will now be described with reference to the attached drawings, in which:

FIGURE 1 is a block diagram of a prior art LANE 
environment; 

FIGURE 2 is a block diagram of a secure LANE en- 
vironment including two virtual local area networks, 
in accordance with the preferred embodiment of the 
present invention; 

FIGURE 3 is a message flow diagram representing 
end station authentication in the network of FIG- 
URE 2; and 

FIGURE 4 is a message flow diagram representing 
end station and network authentication in the net- 
work of FIGURE 2. 

Detailed Description of the Preferred Embodiment

[0014] FIGURE 1 shows a local area network 50 comprising a plurality of interconnected end stations 101, 102, 105, 106 such as personal computers, workgroup servers or mainframe computers. Although for illustrative purposes the network is assumed to be an Ethernet LAN, the present invention applies equally well to other types of LANs, e.g., token ring, high-level data link control (HDLC) and AppleTalk.
[0015] In an Ethernet local area network, a frame sent by a transmitting end station in the LAN contains a header identifying the transmitting end station and the intended recipient end station (using, e.g., source and destination MAC addresses), as well as information to be exchanged. The Ethernet frames can be transmitted using the Carrier Sense Multiple Access with Collision Detection (CSMA-CD) protocol or any other media-access control protocol known or used in the art. In FIGURE 1, the two end stations 101, 102 sharing an Ethernet link 201 can communicate with each other without additional interfacing, as any frame transmitted on a given shared link is "seen" by all end stations connected to that link.
[0016] An Ethernet switch 301 connects multiple Ethernet links 201, 202 and enables communication between end stations appearing on the various Ethernet links. The Ethernet links 201, 202 emanate from the Ethernet switch 301 in a star arrangement and the Ethernet switch keeps track of which end stations are connected to which link. When an Ethernet frame is received by the Ethernet switch 301, it examines the header and transmits the frame over the Ethernet link connected to the intended recipient; the frame is not transmitted to any of the other links, thereby reducing traffic congestion on the Ethernet links. In some instances, end stations may be connected to their Ethernet switch with a dedicated Ethernet link to avoid sharing the link bandwidth with other end stations, thus providing the end station with the maximum possible performance. An example of this is end stations 105, 106 connected to Ethernet switch 303 by dedicated links 205, 206.
[0017] In a large local area network, it may be necessary to introduce several Ethernet switches in order to further reduce congestion on Ethernet links. Although there are a number of mechanisms for interconnecting Ethernet switches in a network, LAN emulation over ATM (LANE) represents a common approach. Ethernet switches 301, 303 communicate via virtual connections (VCs) through an ATM network consisting of an ATM switch 401, in addition to ATM links 501, 503 joining the Ethernet switches to the ATM switches. In a more complex network, there may be several ATM switches interconnected by additional ATM links.
[0018] The Ethernet switches keep track of which end stations are connected to which of their local Ethernet links, and also know which end stations are connected to other Ethernet switches in the network. A LAN emulation server (LES) 602, connected to the network by an ATM link 505, comprises an updated table indicating which end stations are connected to which Ethernet switches, so that information contained in the Ethernet switches 301, 303 may be kept up-to-date. A LAN emulation configuration server (LECS) 601, connected to the network by an ATM link 504, handles interconnection of new end stations into the LANE environment.
[0019] When an Ethernet frame is received from an end station by an Ethernet switch, the header will be examined and, if the recipient is connected to one of its local Ethernet links, the Ethernet switch transmits the frame over the appropriate Ethernet link. If, however, the recipient is connected to another Ethernet switch, the frame is transmitted over the appropriate ATM VC to the destination Ethernet switch. Upon receipt of the frame over the ATM VC, the destination Ethernet switch performs a normal match of destination MAC address to Ethernet link and forwards the frame over the appropriate Ethernet link to the destination end station.
[0020] If there are too many end stations in a LAN, multicast and broadcast traffic can become major contributors to network congestion. To alleviate this problem, the network is segmented into a number of smaller, "virtual" sub-networks (virtual LANs, or VLANs). As hinted at by the term "virtual", end stations designated as belonging to a particular VLAN do not all have to connect to the one Ethernet switch, nor do all end stations connected to an Ethernet switch have to belong to the one VLAN. Such partitioning of the network is transparent to the end stations. Each Ethernet switch, on the other hand, comprises an internal database to keep track of which end stations belong to which VLANs.
[0021] In FIGURE 2 is shown an exemplary LANE environment 50 in accordance with the present invention. Two virtual LANs can be identified: a "red" VLAN, consisting of end stations 101-R, 102-R and 105-R, and a "green" VLAN, consisting of end stations 103-G, 104-G and 106-G. Other groups of end stations 108, 109 do not belong to either VLAN. Physically, end stations 101-R and 102-R share an Ethernet link 201 and are connected to an Ethernet switch 301. From Ethernet switch 301 also emanates an Ethernet link 202 connecting end stations 108. Similarly, an Ethernet switch 302 connects end stations 103-G and 104-G via a shared Ethernet link 203 and end stations 109 via another Ethernet link 204. A third Ethernet switch 303 connects end stations 105-R and 106-G via respective dedicated Ethernet links 205 and 206. Ethernet switch 303 also physically connects an end station 107-R via a dedicated Ethernet link 207. The end station 107-R is not a member of either the red or the green VLAN, but presumably intends to join the red VLAN.
[0022] A LAN emulation configuration server (LECS) 601 contains an internal database storing a record of each VLAN and the end stations permitted to join the VLANs. As end stations are powered on or reconfigured, the Ethernet switches register the end stations wishing (and permitted) to join a particular VLAN with a LAN emulation server (LES, 602-R for the red VLAN and 603-G for the green VLAN); registration with an LES constitutes membership within the corresponding VLAN. Virtual connections joining the Ethernet switches 301, 302, 303, the LECS 601 and the LAN emulation servers 602-R, 603-G are established by an ATM switch or hub 401, and communication is effected via ATM links 501 through 506, respectively.

[0023] A multicast or broadcast frame received from an end station that is a member of, for example, the red VLAN, is forwarded by the Ethernet switch serving the end station to a broadcast and unknown server (BUS) function associated with LES 602-R. The LES 602-R then forwards the frame to all Ethernet switches in the network that have end stations that are members of the red VLAN, i.e., Ethernet switches 301 and 303. The Ethernet switches 301 and 303 in turn forward the multicast or broadcast frame only to those Ethernet links that are connected to members of the red VLAN, i.e., Ethernet links 201 and 205. In this way, multicast and broadcast frames are prevented from being transmitted to end stations outside the VLAN where the frame originated, thereby relieving traffic congestion within the LAN as a whole.

[0024] A primary function of the LECS 601 is to configure the VLANs, i.e., to inform new end stations wishing to join a particular VLAN of the address where the LES for that VLAN can be found. In conventional networks, however, no authentication of the new end stations is performed. By using, say, the MAC address of an end station permitted to join a particular VLAN, a possibly unauthorized end station can register with the VLAN's LES, leading to the previously discussed security breaches.

[0025] In accordance with the present invention, an authentication server (AS) 701, connected to the network via an ATM link 507, provides security mechanisms for authenticating end stations when they attempt to join a desired VLAN. The AS 701, for its part, is responsible for checking the validity of new end stations and not letting them register with any LES unless they pass an authentication "test", which in an exemplary embodiment is administered using a key-based challenge-response algorithm. A network administrator can easily ensure that only the AS 701 and one new end station at a time possess appropriate keys for administering and passing the test. It is within the scope of the present invention to provide different types of authentication tests, such as techniques based on passwords, synchronized security cards, voice printing or finger printing. The key consideration in all cases is that successful authentication is possible only if the new end station is genuinely authorized to join the desired VLAN.
[0026] If the AS 701 is connected to the network through an Ethernet link and switch, the AS should not share its Ethernet link with other end stations, to ensure that traffic directed to the AS is seen only by the AS. The AS may be implemented as a stand-alone

to provide enhanced security for the algorithms and data it contains, or may be integrated with the LECS 601.
[0027] A sequence of steps for end station 107-R to join the red VLAN according to the present invention is shown in FIGURE 3, in which only the steps involving transmission of information between network components have been illustrated. It is to be understood that an analogous sequence applies in the case of a new end station wishing to join the green VLAN.



Step A. End station 107-R constructs an Ethernet frame consisting of a frame header comprising a destination address and a source address (e.g., the MAC address of end station 107-R), as well as data to be exchanged. The destination address may be the MAC address of the destination end terminal or a known broadcast address.

Step B. End station 107-R transmits the frame over Ethernet link 207 to Ethernet switch 303 in the form of a "Data" message, using the CSMA-CD protocol.

Step C. Ethernet switch 303 extracts the source address (the MAC address of end station 107-R) from the Ethernet frame and consults an internal table to determine the virtual LAN (and LES) associated with the source address.

Step D. If Ethernet switch 303 cannot find an associated LES by consulting its internal table, Ethernet switch 303 sends a query, in the form of a "ConfigRqst" message, to the LECS 601 asking for the identity of the LES associated with end station 107-R.

Step E. LECS 601 sends an "Authenticate" message to AS 701 requesting authentication of end station 107-R.

Step F. Using a challenge-response authentication algorithm, AS 701 generates a plain number, such as a random number RN, and encrypts it using a secret key known only to the AS 701 and end station 107-R to produce E-RN. Both RN and E-RN are returned to the LECS 601 as a "DoChallenge" message. The secret key used to generate E-RN is never revealed by the AS 701.

Step G. The LECS 601 creates a frame containing a challenge to end station 107-R that includes RN received from AS 701 but does not include E-RN. The frame is then sent in a "Challenge" message from the LECS 601 to the Ethernet switch 303 and subsequently relayed to end station 107-R.

Step H. End station 107-R encrypts RN received in the challenge using its secret key and the same authentication algorithm used by the AS 701.

Step I. End station 107-R responds to the challenge with a "ChallengeResponse" message containing RN received from the LECS 601, along with its version of E-RN. The challenge response is relayed by Ethernet switch 303 to the LECS 601.

Step J. The LECS 601 compares the value of E-RN received from end station 107-R to the value of E-RN received earlier from the AS 701.

If the values match:

Step K. The LECS 601 consults its own internal tables to determine that end station 107-R is associated with the red VLAN managed by LES 602-R. LECS 601 sends a "Notify" message to LES 602-R indicating that end station 107-R is attempting to join the red VLAN; this indication includes the MAC address of end station 107-R.

Step L. The LECS 601 then sends the identity of LES 602-R in a "ConfigResp" message, responding to the original query from Ethernet switch 303 at Step D.

Step M. If it does not currently have an ATM virtual connection to LES 602-R, Ethernet switch 303 creates such a connection through ATM switch 401 using standard ATM signalling techniques. Ethernet switch 303 then sends a "JoinRqst" message for end station 107-R over this virtual connection to LES 602-R.



EP 0 924 900 A2
Step N. Upon receipt of this registration message, LES 602-R enters the MAC address of end station 107-R into its internal tables and records the identity of Ethernet switch 303 as the switch serving end station 107-R. LES 602-R sends a "JoinAck" message to Ethernet switch 303 acknowledging successful registration of end station 107-R as a member of the red VLAN.

Step O. When Ethernet switch 303 receives the acknowledgement to its registration request, it updates its internal tables to associate end station 107-R with the red VLAN managed by LES 602-R.

If the values do not match:



Step K'. The LECS 601 sends a response to Ethernet switch 303 indicating that network access is denied to end station 107-R (not shown). Ethernet switch 303 discards all frames received from end station 107-R and does not forward any frames to end station 107-R, thus isolating end station 107-R from the






[0028] A second form of security attack involves a bogus Ethernet switch that attempts to extract information from a network by posing as a LAN e

For example, if the above procedure is followed by a new end station genuinely authorised to enter the red VLAN, the bogus Ethernet switch can, without actually comparing the encrypted random numbers, pretend to give the new end station permission to enter the red VLAN. From the new end station's point of view, having expected to be "let in" from the start, it begins an exchange of restricted information that is now intercepted by the bogus Ethernet switch.

[0029] To counter this attack, the new end station may, upon responding to the challenge issued by the network, administer its own test to verify authenticity of the issuer of the original challenge. Considering the network of FIGURE 2 and with reference to FIGURE 4, the following sequence of steps not only provides network security by verifying legitimacy of a new end station 107-R upon entering the network, but allows (legitimate) new end station 107-R to protect itself from bogus tests:




Step A. End station 107-R constructs an Ethernet frame consisting of a frame header comprising a destination address and a source address (e.g., the MAC address of end station 107-R), as well as data to be exchanged. The destination address may be the MAC address of the destination end terminal or a known broadcast address.

Step B. End station 107-R transmits the frame over Ethernet link 207 to Ethernet switch 303 in the form of a "Data" message, using the CSMA-CD protocol.

Step C. Ethernet switch 303 extracts the source address (the MAC address of end station 107-R) from the Ethernet frame and consults an internal table to determine the virtual LAN (and LES) associated with the source address.

Step D. If Ethernet switch 303 cannot find an associated LES by consulting its internal table, Ethernet switch 303 sends a query, in the form of a "ConfigRqst" message, to the LECS 601 asking for the identity of the LES associated with end station 107-R.

Step E. LECS 601 sends an "Authenticate" message to AS 701 requesting authentication of end station 107-R.

Step F. Using a challenge-response authentication algorithm, AS 701 generates a plain number, such as a random number RN, and encrypts it using a secret key known only to the AS 701 and end station 107-R to produce E-RN. Both RN and E-RN are returned to the LECS 601 as a "DoChallenge" message. The secret key used to generate E-RN is never revealed by the AS 701.

Step G. The LECS 601 creates a frame containing a challenge to end station 107-R that includes RN received from AS 701 but does not include E-RN. The frame is then sent in a "Challenge" message from the LECS 601 to the Ethernet switch 303 and subsequently relayed to end station 107-R.

Step H. End station 107-R encrypts RN received in the challenge using its secret key and the same authentication algorithm used by the AS 701.

Step I. End station 107-R generates a second plain number, such as a random number RN2, and encrypts it using its secret key to produce E-RN2.

Step J. End station 107-R responds to the challenge with a "ChallengeResponse" message that includes RN received from LECS 601, along with RN2 and its version of E-RN, but does not include E-RN2. The challenge response is relayed by Ethernet switch 303 to LECS 601.

Step K. After first ensuring that end station 107-R is legitimate by verifying that the value of E-RN received from end station 107-R matches the value of E-RN received from AS 701, LECS 601 sends a "Challenge" message to AS 701 that includes RN2 and the MAC address of end station 107-R.
Step L. AS 701 encrypts RN2 received in the challenge using the authentication algorithm and the secret key for end station 107-R and returns its version of E-RN2 to LECS 601 in the form of a "ChallengeResponse" message.

Step M. LECS 601 consults its own internal tables to determine that end station 107-R is associated with the red VLAN managed by LES 602-R. LECS 601 sends a "Notify" message to LES 602-R indicating that end station 107-R is attempting to join the red VLAN; this indication includes the MAC address of end station 107-R, the random number RN2 received in the challenge from end station 107-R and the encrypted random number E-RN2 calculated by AS 701.

Step N. The LECS 601 then sends the identity of LES 602-R in a "ConfigResp" message, responding to the original query from Ethernet switch 303 at Step D.

Step O. If it does not currently have an ATM virtual connection to LES 602-R, Ethernet switch 303 creates such a connection through ATM switch 401 using standard ATM signalling techniques. Ethernet switch 303 then sends a "JoinRqst" message for end station 107-R over this virtual connection to LES 602-R.

Step P. Upon receipt of this registration message, LES 602-R enters the MAC address of end station 107-R into its internal tables and records the identity of Ethernet switch 303 as the switch serving end station 107-R. LES 602-R sends a "JoinAck" message to Ethernet switch 303 acknowledging successful registration of end station 107-R as a member of the red VLAN.

Step Q. When Ethernet switch 303 receives the acknowledgement to its registration request, it updates its internal tables to associate end station 107-R with the red VLAN managed by LES 602-R.

Step R. Using the information received from LECS 601, LES 602-R also sends a "ChallengeResponse" message to end station 107-R, via Ethernet switch 303, that includes the random number RN2 generated by end station 107-R and the encrypted random number E-RN2 calculated by the AS 701.

Step S. When the challenge response is received, end station 107-R compares the value of E-RN2 received from LES 602-R with the value computed locally. If the values match, end station 107-R is assured that the network connection is legitimate.
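The one-way check of FIGURE 3 (Steps E to K') and the mutual check of FIGURE 4 (Steps I to L, R and S) can be modelled end to end; the following is an added example written for this page, not code from the patent. It assumes HMAC-SHA256 as a stand-in for the unnamed "secret algorithm", 128-bit random numbers for RN and RN2, a single relay in place of switch, LECS and LES so that only the checks remain, and constructed MAC addresses and keys; the bogus switch of paragraph [0028] is included to show why Step S matters.

```python
import hashlib
import hmac
import secrets


def encrypt_number(key: bytes, number: int) -> bytes:
    """Stand-in for the patent's 'encrypt a number using a secret algorithm
    known only to the AS and the end station'. Assumption: a keyed HMAC-SHA256
    over the number; the patent does not name an algorithm."""
    return hmac.new(key, number.to_bytes(16, "big"), hashlib.sha256).digest()


class AuthenticationServer:
    """AS 701: holds the per-station secret keys and never reveals them."""

    def __init__(self, keys):
        self.keys = dict(keys)  # MAC address -> secret key

    def do_challenge(self, mac):
        """Step F: produce (RN, E-RN) for the LECS; None for unknown stations."""
        if mac not in self.keys:
            return None
        rn = secrets.randbits(128)
        return rn, encrypt_number(self.keys[mac], rn)

    def answer_challenge(self, mac, rn2):
        """Step L (FIGURE 4): encrypt the station's RN2 so it can verify us."""
        return encrypt_number(self.keys[mac], rn2)


class EndStation:
    """End station 107-R: knows only its own MAC address and secret key."""

    def __init__(self, mac, key):
        self.mac, self.key = mac, key
        self.rn2 = None

    def challenge_response(self, rn):
        """Steps H to J: answer RN with E-RN and issue our own challenge RN2."""
        self.rn2 = secrets.randbits(128)
        return {"rn": rn, "e_rn": encrypt_number(self.key, rn), "rn2": self.rn2}

    def verify_network(self, rn2, e_rn2):
        """Step S: the network is genuine only if it echoes our RN2 with a
        correct E-RN2, which requires the AS's copy of our key."""
        if rn2 != self.rn2:
            return False
        return hmac.compare_digest(e_rn2, encrypt_number(self.key, rn2))


class LECS:
    """LECS 601: knows which station is permitted in which VLAN and relays
    challenges between the AS and the switch. It never holds a key."""

    def __init__(self, auth_server, membership):
        self.auth = auth_server
        self.membership = dict(membership)  # MAC address -> VLAN name

    def join(self, station):
        """FIGURE 4 flow. Returns (VLAN joined or None, station trusts network)."""
        chal = self.auth.do_challenge(station.mac)  # Steps E, F
        if chal is None:
            return None, False
        rn, e_rn_expected = chal
        resp = station.challenge_response(rn)  # Steps G to J, via the switch
        # Step K / Step K': compare the station's E-RN with the AS's E-RN.
        if resp["rn"] != rn or not hmac.compare_digest(resp["e_rn"], e_rn_expected):
            return None, False
        vlan = self.membership.get(station.mac)  # Step M: own tables
        if vlan is None:
            return None, False
        e_rn2 = self.auth.answer_challenge(station.mac, resp["rn2"])  # Step L
        # Steps N to R: the LES admits the station and relays (RN2, E-RN2).
        return vlan, station.verify_network(resp["rn2"], e_rn2)  # Step S


def bogus_switch_join(station):
    """Paragraph [0028]: a bogus switch with no path to the AS issues its own
    RN, skips the comparison and 'lets the station in'. Lacking the key it can
    only guess E-RN2, so the Step S check of FIGURE 4 rejects it."""
    resp = station.challenge_response(secrets.randbits(128))
    guessed_e_rn2 = secrets.token_bytes(32)
    return "red", station.verify_network(resp["rn2"], guessed_e_rn2)


# Constructed sample network: keys and membership table for two stations of FIGURE 2.
KEYS = {"107-R": secrets.token_bytes(32), "106-G": secrets.token_bytes(32)}
MEMBERSHIP = {"107-R": "red", "106-G": "green"}
NETWORK = LECS(AuthenticationServer(KEYS), MEMBERSHIP)


def demo():
    """Outcomes for a genuine station, a MAC-spoofing intruder without the key
    (paragraph [0005]), an unknown station, and a genuine station facing a
    bogus switch. Each value is (VLAN joined or None, station trusts network)."""
    genuine = EndStation("107-R", KEYS["107-R"])
    spoofer = EndStation("107-R", secrets.token_bytes(32))  # right MAC, wrong key
    unknown = EndStation("108", secrets.token_bytes(32))
    return {
        "genuine": NETWORK.join(genuine),
        "spoofer": NETWORK.join(spoofer),
        "unknown": NETWORK.join(unknown),
        "bogus_switch": bogus_switch_join(genuine),
    }


if __name__ == "__main__":
    for name, (vlan, trusted) in demo().items():
        print(f"{name:13s} -> joined={vlan!r}, trusts_network={trusted}")
```

Only the genuine station on a genuine network ends with both a VLAN and a trusted connection; the spoofer fails at Step K because the LECS compares E-RN values it cannot compute itself, and the bogus switch fails at Step S because it cannot produce E-RN2.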

[0030] It is to be understood that alternate embodiments of the present invention exist in which ATM switches are not employed, eliminating any requirement for a LAN emulation configuration server or LAN emulation servers. In such a case, a specific member of each VLAN would be designated as the "VLAN server" and configuration of the network could easily be relegated to the authentication server. The entire authentication procedure could be accomplished by communication between the authentication server and the designated VLAN servers.

[0031] While the preferred embodiment of the inven- 
tion has been described and illustrated it will be appar- 
ent to one skilled in the art that variations in the design 
may be made. The scope of the invention, therefore, is 
only to be limited by the claims appended hereto. 



Claims 

1. A local area network, comprising a plurality of end
stations and an authentication server, the LAN be-
ing segmented into a plurality of virtual local area
networks (VLANs), each VLAN comprising at least
one member end station, wherein the authentica-
tion server keeps track of which end stations are
members of which VLAN, keeps track of which end
stations are authorized to join which VLAN and per-
forms authentication of end stations joining a VLAN.

2. A local area network, comprising: 

a plurality of end stations;

a plurality of LAN emulation servers (LESs); 

a LAN emulation configuration server (LECS) ; 

and 

an authentication server (AS) ; 
the LAN being segmented into a plurality of vir- 
tual local area networks (VLANs), each VLAN 
comprising a respective LES and at least one 
member end station, each LES keeping track 
of which end stations are members in the re- 
spective VLAN, the LECS keeping track of
which end stations are members of which 
VLAN; 

wherein the authentication server keeps track 
of which end stations are authorized to join 
which VLAN and performs authentication of 
end stations joining a VLAN. 

3. A local area network of claim 2, wherein the LECS
is merged with the AS.

4. A local area network as claimed in any of claims 1 
to 3 being a token ring LAN. 

5. A local area network as claimed in any of claims 1 
to 3 being an Ethernet LAN. 

6. A local area network as claimed in claim 5 further
comprising a plurality of Ethernet switches, each
switch communicating with at least one end station
through an Ethernet communication link.

7. A method for securely adding a new end station to
a local area network (LAN), the LAN comprising a
plurality of end stations and an authentication serv-
er (AS), the LAN being segmented into a plurality
of virtual local area networks (VLANs), each VLAN
comprising at least one member end station, where-
in the authentication server keeps track of which
end stations are members of which VLAN, keeps
track of which end stations are permitted to join
which VLAN and performs authentication of end
stations joining a VLAN, the method comprising the
steps of:

the new end station sending to the AS a message identifying both the new end station and a desired VLAN;
the new end station taking a first authentication test; and
upon successful authentication of the new end station, the AS sending to the new end station a message indicating that the new end station is permitted to join the desired VLAN.

8. A method as claimed in claim 7, further comprising
the steps of:

the new end station sending to the AS a message identifying both the new end station and a desired VLAN;
the AS taking a second authentication test; and
upon successful authentication of the AS, the new end station joining the desired VLAN.

9. A method as claimed in claim 8, wherein the new
end station stores a second list of passwords and
the second authentication test consists of:

the AS sending a message to the new end station comprising a third password; and
the new end station comparing the third password to a fourth password contained in the second list of passwords;

wherein authentication of the AS is said to have
been successful if the third and fourth pass-
words are identical.

10. A method as claimed in claim 8, wherein the second
authentication test consists of:

the new end station generating a third encrypted number using a second plain number and a second algorithm known to the AS and to the new end station;
the new end station sending to the AS a message comprising the second plain number;
the AS generating a fourth encrypted number using the second plain number and the second algorithm;
the AS sending to the new end station a message comprising the second plain number and the fourth encrypted number; and
the new end station comparing the third encrypted number to the fourth encrypted number,

wherein authentication of the AS is said to have
been successful if the third and fourth encrypt-
ed numbers are identical.

11. A method as claimed in any of claims 7 to 10, where-
in the AS stores a first list of passwords and the first
authentication test consists of:

the new end station sending a message to the AS comprising a first password; and
the AS comparing the first password to a second password contained in the first list of passwords;

wherein authentication of the new end station
is said to have been successful if the first and
second passwords are identical.

12. A method as claimed in any of claims 7 to 10, where-
in the first authentication test consists of:

the AS generating a first encrypted number using a plain number and a first algorithm known to the AS and to the new end station;
the AS sending to the new end station a message comprising the plain number;
the new end station generating a second encrypted number using the plain number and the first algorithm;
the new end station sending to the AS a message comprising the plain number and the second encrypted number; and
the AS comparing the first encrypted number to the second encrypted number,

wherein authentication of the new end station
is said to have been successful if the first and
second encrypted numbers are identical.

13. A method as claimed in claim 12, wherein the first 
plain number is a random number. 

14. A method as claimed in claim 12, wherein the first
algorithm is a key-based encryption algorithm.
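The mutual challenge-response of claims 10 and 12 (Steps R and S of the description), as an added Python example that is not part of the patent. HMAC-SHA256 is my stand-in for the key-based encryption algorithm of claim 14; station identifiers, shared keys and VLAN names are constructed for the example.

```python
import hashlib
import hmac
import secrets

def encrypt_number(key: bytes, plain_number: int) -> bytes:
    # Keyed one-way function standing in for the claims' key-based encryption
    # algorithm (my substitution); the AS and the end station share `key`.
    return hmac.new(key, plain_number.to_bytes(8, "big"), hashlib.sha256).digest()

class AuthenticationServer:
    def __init__(self, station_keys, authorized):
        self.station_keys = station_keys  # station id -> shared key (constructed)
        self.authorized = authorized      # VLAN name -> ids permitted to join it
        self.pending = {}                 # station id -> (vlan, RN1, first encrypted number)
    def challenge(self, station_id, vlan):
        # Claims 12 and 13: keep RN1 and its encryption, send only RN1.
        rn1 = secrets.randbits(64)
        self.pending[station_id] = (vlan, rn1, encrypt_number(self.station_keys[station_id], rn1))
        return rn1
    def verify(self, station_id, rn1, e_rn1):
        # Claim 12: first and second encrypted numbers identical (constant-time
        # compare); claim 7: the station must also be permitted on that VLAN.
        vlan, rn1_sent, expected = self.pending.pop(station_id, (None, None, b""))
        return (rn1 == rn1_sent and hmac.compare_digest(expected, e_rn1)
                and station_id in self.authorized.get(vlan, set()))
    def answer_challenge(self, station_id, rn2):
        # Claim 10: return the plain number with the fourth encrypted number.
        return rn2, encrypt_number(self.station_keys[station_id], rn2)

class EndStation:
    def __init__(self, station_id, key):
        self.station_id, self.key, self.rn2, self.expected = station_id, key, None, b""
    def respond(self, rn1):  # second encrypted number, sent with the plain number
        return rn1, encrypt_number(self.key, rn1)
    def challenge_as(self):  # third encrypted number is computed and kept locally
        self.rn2 = secrets.randbits(64)
        self.expected = encrypt_number(self.key, self.rn2)
        return self.rn2
    def verify_as(self, rn2, e_rn2):  # Step S: compare the two E-RN2 values
        return rn2 == self.rn2 and hmac.compare_digest(self.expected, e_rn2)

def mutual_join(server, station, vlan):
    # Claims 7 and 8 in sequence; returns (station authenticated, AS authenticated).
    rn1 = server.challenge(station.station_id, vlan)
    if not server.verify(station.station_id, *station.respond(rn1)):
        return False, False
    rn2 = station.challenge_as()
    return True, station.verify_as(*server.answer_challenge(station.station_id, rn2))
```

A station that does not hold the shared key fails the first test, and an AS that does not hold it fails the second, which is the property the description's Steps R and S rely on.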

15. A method for securely adding a new end station to
a local area network (LAN), the LAN comprising a
plurality of end stations, a plurality of LAN emulation
servers (LESs), a LAN emulation configuration
server (LECS) and an authentication server (AS),
each switch communicating with at least one end
station, the new end station being connected to a
switch, the LAN being segmented into a plurality of
virtual local area networks (VLANs), each VLAN
comprising a respective LES and at least one mem-
ber end station, each LES keeping track of which
end stations are currently members in the respec-
tive VLAN, the LECS keeping track of which end
stations are permitted to be members of which
VLAN, wherein the authentication server performs
authentication of end stations joining a VLAN, the
method comprising the steps of:

the new end station sending to its switch a message identifying both the new end station and a desired VLAN;
the switch sending to the LECS a message requesting identity of the LES corresponding to the desired VLAN;
the LECS sending to the AS a message requesting authentication of the new end station;
the AS generating a first encrypted number using a plain number and an algorithm known to the AS and to the new end station;
the AS sending to the LECS a message comprising the plain number and the first encrypted number;
the LECS sending to the switch a message comprising the plain number;
the switch sending to the new end station a message comprising the plain number;
the new end station generating a second encrypted number using the plain number and the algorithm;
the new end station sending to the switch a message comprising the plain number and the second encrypted number;
the switch sending to the LECS a message comprising the plain number and the second encrypted number;
the LECS comparing the first encrypted number to the second encrypted number;
the LECS sending to the LES corresponding to the desired VLAN a message indicating that the new end station intends to join the desired VLAN;
the LECS sending to the switch a message comprising identity of the LES corresponding to the desired VLAN;
the switch sending to the LES corresponding to the desired VLAN a message requesting that the new end station join the desired VLAN; and
the LES corresponding to the desired VLAN sending to the switch a message indicating that the new end station is allowed to join the desired VLAN.



16. A method as claimed in any of claims 7 to 15, where- 
in the new end station is identified by a 48-bit media 
access control address. 

17. A method as claimed in any of claims 7 to 15, where-
in the new end station is identified by a 32-bit Inter-
net Protocol address.

18. A method as claimed in any of claims 7 to 15, where-
in the new end station is identified by a physical port
on an Ethernet switch.
Fig. 3